Android逆向之利用Xposed为应用增加权限

利用Xposed删除权限

这个已经有人实现了，就是Xposed的作者，我们就先来研究研究他是怎么实现的,先上他的实现代码

public class PackagePermissions extends BroadcastReceiver {    private final Object pmSvc;    private final Map<String, Object> mPackages;    private final Object mSettings;    @SuppressWarnings("unchecked")    public PackagePermissions(Object pmSvc) {        this.pmSvc = pmSvc;        this.mPackages = (Map<String, Object>) getObjectField(pmSvc, "mPackages");        this.mSettings = getObjectField(pmSvc, "mSettings");    }/*这个函数主要hook了 PackageManager 服务（负责系统中Package的管理，应用程序的安装、卸载、信息查询），实现了通过监听我们自己发出的广播，拦截权限授予功能来进行修改apk的权限的*/    public static void initHooks() {        try {            final Class<?> clsPMS = findClass("com.android.server.pm.PackageManagerService", XposedMod.class.getClassLoader());//获取这个PackageManager类            //注册监听广播,监听我们的设置更改，以实现立即应用设置            findAndHookMethod(clsPMS, "systemReady", new XC_MethodHook() {                @Override                protected void afterHookedMethod(MethodHookParam param)                        throws Throwable {                    Context mContext = (Context) getObjectField(param.thisObject, "mContext");//这个应该是系统的上下文，具体待研究                    mContext.registerReceiver(new PackagePermissions(param.thisObject),                            new IntentFilter(Common.MY_PACKAGE_NAME + ".UPDATE_PERMISSIONS"),                            Common.MY_PACKAGE_NAME + ".BROADCAST_PERMISSION",                            null);//注册广播                }            });//拦截PackageManager类中的grantPermissionsLPw函数            findAndHookMethod(clsPMS, "grantPermissionsLPw", "android.content.pm.PackageParser$Package", boolean.class,                    new XC_MethodHook() {                @SuppressWarnings("unchecked")                @Override                protected void beforeHookedMethod(MethodHookParam param) throws Throwable {                    String pkgName = (String) getObjectField(param.args[0], "packageName");                    if (!XposedMod.isActive(pkgName) || !XposedMod.prefs.getBoolean(pkgName + Common.PREF_REVOKEPERMS, false))                        return;                    Set<String> disabledPermissions = XposedMod.prefs.getStringSet(pkgName + Common.PREF_REVOKELIST, null);                    if (disabledPermissions == null || disabledPermissions.isEmpty())                        return;                    ArrayList<String> origRequestedPermissions = (ArrayList<String>) getObjectField(param.args[0], "requestedPermissions");                    param.setObjectExtra("orig_requested_permissions", origRequestedPermissions);                    ArrayList<String> newRequestedPermissions = new ArrayList<String>(origRequestedPermissions.size());                    for (String perm: origRequestedPermissions) {                        if (!disabledPermissions.contains(perm))                            newRequestedPermissions.add(perm);                        else                            // you requested those internet permissions? I didn't read that, sorry                            Log.w(Common.TAG, "Not granting permission " + perm                                    + " to package " + pkgName                                    + " because you think it should not have it");                    }                    setObjectField(param.args[0], "requestedPermissions", newRequestedPermissions);                }                @SuppressWarnings("unchecked")                @Override                protected void afterHookedMethod(MethodHookParam param) throws Throwable {                    // restore requested permissions if they were modified                    ArrayList<String> origRequestedPermissions = (ArrayList<String>) param.getObjectExtra("orig_requested_permissions");                    if (origRequestedPermissions != null)                        setObjectField(param.args[0], "requestedPermissions", origRequestedPermissions);                }            });        } catch (Throwable e) {            XposedBridge.log(e);        }    }    @Override    public void onReceive(Context context, Intent intent) {        try {            // The app broadcasted a request to update settings for a running app            // Validate the action being requested            if (!Common.ACTION_PERMISSIONS.equals(intent.getExtras().getString("action")))                return;            String pkgName = intent.getExtras().getString("Package");            boolean killApp = intent.getExtras().getBoolean("Kill", false);            XposedMod.prefs.reload();            Object pkgInfo;            synchronized (mPackages) {                pkgInfo = mPackages.get(pkgName);                callMethod(pmSvc, "grantPermissionsLPw", pkgInfo, true);                callMethod(mSettings, "writeLPr");            }            // Apply new permissions if needed            if (killApp) {                try {                    ApplicationInfo appInfo = (ApplicationInfo) getObjectField(pkgInfo, "applicationInfo");                    if (Build.VERSION.SDK_INT <= 18)                        callMethod(pmSvc, "killApplication", pkgName, appInfo.uid);                    else                        callMethod(pmSvc, "killApplication", pkgName, appInfo.uid, "apply App Settings");                } catch (Throwable t) {                    XposedBridge.log(t);                }            }        } catch (Throwable t) {            XposedBridge.log(t);        }    }}

这段代码的地址

参考

1.AppSettingshook权限代码